Researchers Bypass ASLR Protection On Intel Haswell CPUs

An anonymous reader writes: "A team of scientists from two U.S. universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection by taking advantage of the BTB (Branch Target Buffer), a component included in many modern CPU architectures, including Intel Haswell CPUs, the processor they used for tests in their research," reports Softpedia. The researchers discovered that by blasting the BTB with random data, they could run a successful collision attack that reveals the memory locations where apps execute code in the computer's memory -- the very thing that ASLR protection was meant to hide. While during their tests they used a Linux PC with a Intel Haswell CPU, researchers said the attack can be ported to other CPU architectures and operating systems where ASLR is deployed, such as Android, iOS, macOS, and Windows. From start to finish, the collision attack only takes 60 milliseconds, meaning it can be embedded with malware or any other digital forensics tool and run without needing hours of intense CPU processing. You can read the research paper, titled "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR," here.

Kinda makes you wonder...

[Narcocide]

... was it ever worth it?

Re:Kinda makes you wonder...

[wierd_w]

no. locks keep honest people honest. when you decide the user cant be trusted, all pretense of keeping honesty in the mix evaporates.

the responsibility for a system lays at the foot of the user. nobody else.

Re:Kinda makes you wonder...

Eh, it's still worth it. I think that these other layers shouldn't be discussed in the same manner as a "lock" type layer though. These are more properly "mitigations", things that are supposed to help some of the time, increase time to entry, increase the burden of resources required for an attack like this. There's merit in there.

Re:Kinda makes you wonder...

[AHuxley]

It sold as protection to big brands for a generation. So it was worth it to a few brands shareholders.

Re:Kinda makes you wonder...

[bytesex]

Of course it does. ASLR does not just protect you from local exploits, but also from remote ones.

Re: Kinda makes you wonder...

Absolutely. Denying users root access to their hardware increases security. Google said so.

Re:Kinda makes you wonder...

The paper doesn't make a big dent into the randomization. Not today anymore. Most systems are virtualized and hosts and VMs monitored. Enforcing processes to share a core on a 'public' facing system (VM) is a lot harder than on bare metal. System performance degradation also wont go unnoticed and many orchestration tools will just kill the degraded VM and spawn a new one.

Re:Kinda makes you wonder...

[peragrin]

The user is only part of the problem it is the admin that you have to worry about. or more specifically the user who thinks they are an admin.

Would you jump into the pilot's seat of a helicopter and steal it, just because you saw a video of a helicopter flying?

That is how the average user admin's their computer with the predictable result.

Computers are massively complicated machines, with millions of interconnected parts and most don't understand how they connect together and have issues. So you have to dumb down basic admin to stupid levels, just for security and safety.

Re:Kinda makes you wonder...

[Lumpy]

If you think it's there to protect the computer and OS you are horribly uneducated about it.

It's there to protect the precious software IP from dirty evil YOU. so you cant disable DRM and make a copy.

That is the only reason this crap exists in modern processors. Intel is King of DRM and they are trying to keep it that way.

Re: Kinda makes you wonder...

I like to think of wll these 'advanced malware protections' as the same thing : CCTV.
In essence, CCTV is mostly useless unless actively watched, like a hawk.
It provides indirect evidence of something that was already not prevented.

Re: Kinda makes you wonder...

[Impy+the+Impiuos+Imp]

I remember when Windows started denying user permission to delete system files, which made manual virus recovery impossible.

I have had to do 3 reinstalls over the years because I couldn't remove such files, and neither could the virus detector.

At one point I had the virus detector running in a loop removing what it could, which fought the virus to a standstill so the computer could be used, but some deeply-rooted thing kept reinstalling it.

Re: Kinda makes you wonder...

[phantomfive]

You should re-install after a virus anyway. You don't know which files it secretly infested.

Re: Kinda makes you wonder...

I don't have a virus infection, but I do have a bunch of fonts that I'd like to remove. Through the fonts interface, I can only remove them one at a time (and there are about 150 that I want to get rid of). In theory, if I deleted the fonts files and rebooted, Windows would just not see the files and the fonts would be gone. But Windows won't let me delete the files. I have gone as far as booting into a recovery console, but I still can't seem to delete them. I finally gave up.

ASLR was a dumb idea while it lasted

Here's a better idea. Don't run malware.

Re:ASLR was a dumb idea while it lasted

[wierd_w]

define malware.

this would be useful for killing some of the more nasty forms of drm, for instance. a runtime patcher could learn exactly where to patch, and booya.

the more idiots trying to count chickens before they hatch thart get their eggs smashed, the happier i am. maybe they will one day learn that they cant have *all* of the pie, no matter how much they want it.

Re:ASLR was a dumb idea while it lasted

[Luthair]

Its not actually about running malware. ASLR protects the user against bugs in applications by making it more difficult for attackers to trigger the execution of arbitrary code.

Re:ASLR was a dumb idea while it lasted

What do you think arbitrary code usually is? Malware. It's an attack. They're not attacking for no reason if they're doing this.

Re:ASLR was a dumb idea while it lasted

[AHuxley]

AC the ads you see on web sites push the malware down onto Microsoft operating systems. Don't let ads run or use Microsoft. Also consider the motherboard and CPU as an issue now too..

Re:ASLR was a dumb idea while it lasted

[Luthair]

Wrong. ASLR is for legitimate applications (and OS code) which might have unsafe input (e.g. images, webpages, etc.)

Re:ASLR was a dumb idea while it lasted

What do you think arbitrary code usually is? Malware. It's an attack. They're not attacking for no reason if they're doing this.

A virus is more like it.

Malware is a term we coined for stuff the user clicked "I Agree" on and installed intentionally. Virus scanners couldn't write signatures for them without getting sued. That's the gist of it anyway. Fine, use it for "all other types bad software", but we did already have a word for infecting another executable...

Re:ASLR was a dumb idea while it lasted

[K.+S.+Kyosuke]

So the answer is actually "write correct parsers"?

Re:ASLR was a dumb idea while it lasted

Malware is a broad term that encompasses viruses, worms, etc. and achieved widespread use because it's a lot simpler than trying to explain the nuance that separates a trojan from a virus to a layman. There was a void that needed filling, and Malware hit the spot. Ironically, the description that you have attributed to malware is actually known as Grayware. I would much rather someone correctly use the more general term, malware, to describe a virus than incorrectly use the term virus when referring to a trojan.

Re:ASLR was a dumb idea while it lasted

[DarkOx]

Yes it is but people have been trying to do that for 40 years and have not gotten it right yet so...

Re:ASLR was a dumb idea while it lasted

[epine]

Yes it is but people have been trying to do that for 40 years and have not gotten it right yet so...

Wrong. Plenty of code correctness has been deployed in service of this goal.

Unfortunately, there are endemic economic and political reasons why we constantly choose the protocols and implementations that are bigger, hairier, and less continent.

All you need is a culture of kicking non-conforming implementations to the curb, and then the rigorous implementations have a chance to emerge from the weeds. Do we have such a culture? No—most of the time—no, we do not. Such a culture would cramp Megacorp style, and interfere with timeless value-adds, such as embrace and extend, closed ecosystem, DRM jungle, NIST-sanctioned algorithmic weevils, definition by implementation, documentation by implementation, etc. etc.

Far, far away in dull and dusty places like the Erlang OTP or Bernstein's qmail or Knuth's TeX—or perhaps even the Google protocol buffers for at least one lucky and unusually blessed language binding from the somewhat recent past—you just might find a rigorously coded parser or two.

For the most part, however, I agree. We'll probably never have rigorous parsers in a dominant culture of "screw everyone else", Wild West dysenteroperability.

Re:ASLR was a dumb idea while it lasted

Similar helpful advice is "Don't get cancer" and "Don't have accidents".

Re:ASLR was a dumb idea while it lasted

[Luthair]

That is part of it, but the software effectively needs to be perfect as once the data is loaded it is used in the system this is why fuzz testing covers valid input too.

Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit, which is offered by Microsoft for the Windows operating system, provides a software implementation of Address Space Layout Randomization (ASLR), in addition to what is or is not provided in hardware, but that's not all. The software also offers Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), Certificate Trust (Pinning) and blocks untrusted fonts. Granted, this is an optional add-on for Windows that requires some expertise on the part of the user to make the best use of, but in knowledgeable hands tools like these can be used to further enhance the security of the system by making it that much harder for attackers to successfully inject executable code into the address space of privileged processes.

Re:Enhanced Mitigation Experience Toolkit

Nadella, was that you?

EMET has already been exploited anyway.

Re:Enhanced Mitigation Experience Toolkit

[DarkOx]

EMET on Windows is a great tool! What a name though, only the Microsoft marketing droids could invent that one. "Mitigation Experience" never in a million years would it have occurred to me I should be concerned about my experience mitigating something. Thanks marketers!

BULLSHIT!

Apps don't execute code. Since these idiots don't undertstand this, dismiss it as the nonsense it is.

Re:BULLSHIT!

Apps execute plenty of code. There's a whole Android NDK to compile native code that runs on the target processor. I'm running an app right now that only uses a small amount of Java for the user interface and the bulk of the app is coded in C.

Re:BULLSHIT!

[scdeimos]

Apps don't execute code. Since these idiots don't undertstand this, dismiss it as the nonsense it is.

FYI iOS apps are compiled to binary code, which is why you can't use any dynamic runtime code generation on them, and so *could* be vulnerable to this type of attack. i.e.: from C#-based Xamarin apps you can use Reflection.Emit to generate code at runtime on Android, OSX and Windows (which leverages the JIT features of .NET/Mono/Dalvik), but you can't do this on iOS because they're pre-compiled for specific processors before getting packaged and uploaded to iTunes app store.

Man... oh man....

[alexborges]

I've been a true blue IT pro foss loonix guy for most of the last 16 years. And every year. Nay. Every 6-10 months some hardware designed to "thwart" crackers, and other crypto attackers goes the way of the dodo.

I think the industry looks at security the wrong way and the lulzsec guys weren't wrong in that ideological rant they made. You can't predict the unpredictable. Firewalls aren't a wall in any meaningful sense. "Software defined" networks are just a catchphrase for networking complex things in a dynamic manner. Intrusion Prevention Systems do not prevent. Hell, if you let your cisco guy deploy it, it wont even log a thing and when it dies you will have no idea why.

Bollocks, Shenanigans and costly Stupidity (don't get me started on "hardware routers" or "storage networks"). This is what I have found in my years in the battlefields, young grasshoppers. And a deeply felt wish that I had chosen archeology instead.

This is one way.

[Bob_Who]

Imagine the infinite ways of using other people's computers without their explicit permission.

Re:This is one way.

Show me your open firewall port, baby. Yes, just like that. Now get ready to receive.

Re: This is one way.

Haha, just lay low and let them come to you. Serve an ad.

I have a secure Babbage computer

[BoRegardless]

I will guarantee can't be hacked electronically and will sell you one.

Re: I have a secure Babbage computer

Holy shit, I totally forgot about Babbage!

Re:Man... oh man....

[moxsam]

The grass is always greener...

I wonder how many archeologists with bad pay wish they had become an IT professional instead.

Hopefully this doesn't result in

[kungfuj35u5]

removing the BTB entirely. I've seen libraries rip out faster routines or add some nondeterminism to the latency just so that it could mask such a "hot cache" vulnerability. It seems a bit backward to rip out a performance enhancing capability in the architecture just because of ASLR bypass.

Re:Hopefully this doesn't result in

Or just make it part of the context of each process that has to be switched out...

Obviously the problem is making it a global resource.

Re:Hopefully this doesn't result in

[ameline]

There are a number of alternatives -- flushing the BTB on ring switch seems a reasonable starting point. It should eliminate most privilege escalations.
Making the address randomization affect bits outside the range seen by the BTB indexing scheme would also make the attack much more difficult. This would require some non-trivial OS kernel changes

The BTBs themselves can be multi-level and pretty large -- they could form part of a process context, but they'd add several kbytes to it. There is no hardware support to save/restore this resource, and it'd have to be *fast* to be of any use. For paranoid people, flushing the BTB on every process (not thread) switch would pretty much stop this attack in its tracks, with a small performance penalty.

It's not clear that making the BTB part of the process context would make things faster overall -- you'd get better prediction, and worse ctx switch overhead. It's not clear to me which would win.

Re:Man... oh man....

[AHuxley]

If the NSA says the big US brands they work with are safe, buy them and enjoy the US industry standards.
Stop making networks interesting. Put PR on the internet when the project is done and ready for sale.
Until then keep everything secret.
Doing code work for years on internet facing networks on hardware designed for easy police and security service access is just a big risk.
Too many nations, their staff, ex staff, cults and smart people have the keys or know of the trap doors and backdoors.

Shitty summary

They attack the kernel ASLR (or some other program running as root).
Without that critical information the summary makes no sense, since what would be the point of defeating ASLR if you can already run arbitrary code?
Browsers might need to be careful that something similar isn't possible via Javascript, but I suspect as long as no sufficiently precise time source are available it should be ok, but that isn't the subject of the paper.
A lot of people have said before that kernel ASLR is crap anyway, and I don't think ASLR was meant to protect much against local attacks.
That puts this into the "interesting, but not very relevant for most" category. If you already are executing malicious code on your machine, I am not sure that the jump to root/kernel permissions makes things all that much worse in most cases, especially since you STILL need to have an exploit.

Re: Shitty summary

[backslashdot]

Uh ok, but then what was the point of ASLR all along?

Re: Shitty summary

[Megol]

Making some kinds of exploits harder to do. Harder - not impossible. Que the "security by obscurity isn't security" crowd that never got that layered security is a thing...

Re: Shitty summary

To prevent someone who cannot yet execute any CODE on your machine from sending you malicious DATA that makes you execute whatever the attacker wants you to execute.
ASLR is there and still works for ensuring that LOOKING at something a random person sent you (data) is (mostly) safe compare to RUNNING something a random person sent you.
Which is very important, since your computer all the time shows you data from untrusted people, while personal desktop computers will not run all kinds of code sent to it from outside without asking (JavaScript being the most important exception, though that is still not running specific machine code).

Re: Shitty summary

[mr_mischief]

Obscurity doesn't hurt, but don't count on even several layers of it without some rigorous security design, too.

And there goes Intel SGX down the drain...

...again. Provided this screwup is on Broadwell and Skylake, which is not a far fetched possibility *at all*.

Intel SGX is all about running secret code on untrusted processors, and this kind of side-channel allows one to probe inside the SGX container. One of the useful (read: non-DRM-crap) uses for SGX would be to implement secured data+code areas to run crypto-sensitive portions of SSH, GnuPG, etc. Unfortunately, branch probing is good for a lot more than defeating ALSR, you can actually, when one is unlucky, probe into code that is manipulating secrets, thereby leaking bits of private keys, etc.

Re: And there goes Intel SGX down the drain...

I thought Intel said that SGX does nothing to protect against side channels.
https://software.intel.com/en-us/node/696952

Why do you think this side channel cause problems for SGX?

+5 realy?, This works against the Win version too

It is an exploit of the CPU's cache, a cache collision attack, if your data's location is referenced in the "Branch Target Buffer" cache then it is vulnerable, if you can find the location table random locations are meaningless. As such this threatens all software implementations Windows, Linux, whoever does it they are all vulnerable unless they find and implement a way of avoiding the collision or removing themselves from the cache (at a performance cost).

Maybe it was just a gimmick?

Maybe Intel didn't really have security in mind when the implemented this, is what I am thinking, not being an expert.

Remote exploit

[DrYak]

TL;DR: because of this bypass ASLR cannot prevent local privilege escalation. but ASLR can still prevent remote access.

The point of ASLR is that it's not easy to determine where the functions are located in memory.

So, if there's an exploit where you can force code to jump at some specific point in memory, you cannot use this exploit to call the function you want because you don't know where they are.

(e.g.: stack smash. Overrun some temporary buffer that is stored on the stack buffer, up to the point where you can overload the return address. So once a function finished, it's doesn't jump back to the caller [it doesn't return] it jumps instead to the address you've overwritten [it jumps to the next function you want to abuse as part of you exploit] )

2 possible situations:

- You've already managed to get (user-level) shell acces (or at least run any payload of your choosing). You want to escalate privileges up to root. You know of a bug in some kernel piece of code that you can try to exploit. ASLR would prevent you from doing it because you don't know where the piece of code is exactly in kernel memory space. So you run the bypass proposed by the researcher and you obtain a list of where is what.
Now you can run your exploit, and gain root.

- You're outside the machine. You want to get remote access. You know a bug in some code (be it kernel or userspace) that could be exploited. But you need to jump into specific function whose precise location in memory you don't know because of ASLR.

So ASLR won't block local privilege escalation anymore (because when you have local access you could defeat ASLR's randomisations)
But ASLR will still block remote access (without local access, you can't get a map of all ASLR-ised functions you need to inject in your remote exploit).

Re:Remote exploit

[TheRaven64]

Most attacks these days are a sequence of memory safety violation followed by memory disclosure followed by arbitrary code execution. ASLR is meant to make the memory disclosure part harder, but there are now half a dozen known attack techniques that allow ASLR to be bypassed. Off the shelf attack toolkits will include these mechanisms, so it's a mistake to assume that an attacker won't be able to bypass it. It increases the barrier to entry from script kiddie with 5-year-old toys to script kiddie with new toys.

Re:Remote exploit

TL;DR :: Security by Obscurity is inherently no security at all.

Randomizing code locations only raises the bar a hair, but the information is stll there, so like DVD DRM, this box isn't really locked because the key is right here...

Re:Man... oh man....

[ArchieBunker]

You should read up on the AS/400 Architecture. So different from the PC word and much more logical, no such thing as device drivers and buffer overflows can't happen.

Re:Man... oh man....

Yes I read the Soltis book recently.

The x86 is collecting so much crap these days much of which doesn't work for anything but marketing and your electrical supplier.

I'm all for IBM sorting out POWER.

The breakdown.

Age, Sex, Location....
Religion?

1 thing AMD & Intel can do is... apk

See subject: Stack smashing protection via CPU hardware "shadow stacks" mirroring the "real" stack vs. changes - they do that? It'll stop buffer overflow type attacks & 'stack smashing'... it'd supplement OS + software & compiler protections vs. it as well (along w/ better programming practices).

* I'm personally surprised it's never been implemented!

(Not EXACTLY "on-topic" here but there 'tis...)

APK

P.S.=> It'd work... apk

Re:1 thing AMD & Intel can do is... apk

Wouldn't a HOSTS file protect against this exploit?

Re:Man... oh man....

Re: "...no such thing as device drivers..."

Ah, what the hell do you think a *DEVD is?? (That's a Device Description, for those not familiar with the iSeries, née AS/400 architecture).

The AS/400 couldn't print to non-IBM printers back in the early 90's because the needed Device Descriptions didn't exist. IBM wouldn't make them because they 'only supported IBM equipment' and the OEM printer manufacturers wouldn't make them because the AS/400 market was too small and they didn't have access to the equipment and expertise needed. Finally, IBM relented and created the *DEVD objects needed, but it took years of pressure from the customer base.

For those knowledgeable readers who object and say "oh yes there was a way to print without native *DEVD support", save your breath. I know all about PC/Support hosted printers, emulated printers, OS/2 supported printers and all the rest. They were all hacks and workarounds designed to get around the limitations caused by the absence of native OS/400 support. They increased the complexity of your environment, introduced multiple new failure modes, increased costs, and good luck getting support for those solutions.

Support in the AS/400 world is a big deal, a really big deal. Though there are limited exceptions, the vast majority of the AS/400 customer base hates unsupported solutions. Many won't run unsupported workarounds at all as a matter of policy.

Re:Man... oh man....

Every 6-10 months some hardware designed to "thwart" crackers

Except this time it is the hardware compromising the software mitigations against crackers. All because of the "relentless pursuit of performance" and "time to market".

Security is not foolproof

[ilsaloving]

You will never have perfect security. There is no such thing. All you can do is put up sufficient roadblocks that a miscreant will give up before they are successful.

And all the security measures in the world arn't going to make a lick of difference if the user opens the door and waves the bad guy in.

Re:Security is not foolproof

I think it is a disservice to everyone to bring about such a vague point as "you will never have perfect security", as if alluding to an impossibility of working TOWARDS having good security (for something).

Perfect = not necessarily ideal, yet you would probably appreciate any great effort into providing security I am sure

So, perfect security is sort of a thing I would argue, because the word "perfect" isn't as clear as anything being an "ideal". To say otherwise is probably wrong, and such phrased arguments I think sort of makes a mockery of wanting to have good security (for something).

An interesting problem I'd say, with the word "perfect", is that the word "perfect" isn't very meaningful by itself, or rather it would be meaningful in the sense of something being considered perfect (because of something in particular), as in good enough after the fact.

The same way people shouldn't simply argue or believe that something is "perfect", paradoxically, they also shouldn't claim that things can't be perfect either.

If one want to invoke a sense of skepticism regarding computer security, I think one would do everyone a favor by being very specific in explaining just why security in general (or for some specific set of issues) won't have issues with catastrophic failure, instead of dumbing things down to meaningless fatalism, as being a naysayer helps anyone.

I wish the security community would use the phrase "catastrophic failure" more often when talking about the consequences of failing security concepts, to hammer in the point of something being woefully inadequate (because of reasons ofc).

No, & yes... apk

No in it doesn't function vs. technical weakness in buffer overflow stack smashing but it does vs. attack sources & malware infiltration/infestation via say, maliciously scripted sites or malware being downloaded + even email malicious payload links blocked out - after all - you CAN'T be harmed by what you CANNOT touch in the 1st place...

* How's that?

APK

P.S=> Yes, I know you're just "unidentifiable ac trolling me" but the point of stopping stack smashing attacks via shadow stack implementation (not in software but rather hardware) is a good idea & method of prevention... apk

VERY good, but... apk

"Overrun some temporary buffer that is stored on the stack buffer, up to the point where you can overload the return address" - by DrYak ( 748999 ) on Thursday October 20, 2016 @08:17AM (#53114013)

See subject - Here's a way to do it in "Return Oriented Programming":

pop %ebx
pop %eax
ret

&

mov %eax, (%ebx)
ret

* 1ST pulls 2 values off the stack storing them in the registers ebx & eax ... 2nd writes the contents of eax into the memory address pointed to by ebx.

(Together they let you edit content of any memory address a currently targetted running thread has rights to change via "arbitrary write"...)

Malware's that do 'stack smashing' do this all the time...

APK

P.S.=> Which is WHY I posted what I did to STOP IT GOING ON (done in cpu 'shadow stack' construction comparison mirroring) & YES, it'd work-> https://news.slashdot.org/comments.pl?sid=9791849&cid=53114763/... apk

Re:VERY good, but... apk

Stop pretending like you invented Intel CET.

"P.S.=> Which is WHY I posted what I did to STOP IT GOING ON (done in cpu 'shadow stack' construction comparison mirroring) & YES, it'd work-"

What you did to stop it? All you did was plagiarize some example code from "The Register" and paraphrased their explanation almost verbatim like you have any clue what you are talking about. Did you real think copying some assembly instructions meant to illustrate a concept to lusers and PHB's and pasting it to Slashdot was going to fool actual technical people? Do you think we are impressed? This is just sad.

Here's the article from The Register that you should have cited rather taking credit for this "invention" yourself (and it wasn't even invented by Intel in the first place):
http://www.theregister.co.uk/2016/06/10/intel_control_flow_enforcement/

And here's the Intel CET specification if you want to point out what page your work is on:
https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

Chicken and egg

[manu0601]

That looks like a chicken and egg problem:

• You want to execute some code using a buffer overflow.
• And to perform the buffer overflow under ASLR, you need to execute some code to break it.

I didn't say I invented it... apk

I said it works & what I did is more than YOU have APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?... which protects vs. infectors + speeds you up (doing more for less...)

APK

P.S.=> See subject - you fail... apk

Re:I didn't say I invented it... apk

You said nothing about hosts files in your op, I'll quote again, "P.S.=> Which is WHY I posted what I did to STOP IT GOING ON (done in cpu 'shadow stack' construction comparison mirroring) & YES, it'd work-". What did you do related to "done in cpu 'shadow stack' construction comparison mirroring" to stop it going on? Do you have an implementation? A specification? A prototype? You did... a hosts file engine??? Mind you, the word "hosts file" was never mentioned in your original post. Just a direct copy of someone else's work, almost word for word, with no attribution, followed by wording to make it look like it was an original idea on your part. That's called plagiarism. How would you feel if I started copying your rabid proselytizing about hosts files in an effort to draw attention to my own work? You'd probably stalk me around the internet and threaten to sue me. Which is why people reply to you anonymously, because a lot of us are actual professionals and don't need that kind of garbage following us around in our actual lives, especially those of us who work under any sort of security clearance.

I've seen plenty of people try to sanely explain these things to you, and I don't expect you to respond rationally, you've been at this for the better part of a decade. There's a big difference between someone popping off barely useful Windows utilities in Delphi and actual IT professionals and research doing the things you can only pretend to be a part of. I feel bad because obviously you suffer from some sort of mental ailment and I realize that these common sense things are well beyond your comprehension and you probably cannot control this behavior. But the fact stands, plagiarism is plagiarism, and you are a plagiarist.

What've you done better?

See subject: My program stops things like this that must be delivered 1st. Hosts stall that if host-domain name served (9/10 are).

On CET etc.: I never said I INVENTED IT, so quit trying to put words in my mouth I never said fool!

I'm pointing out useful fixes, you're not!

(Which I saw a long time back as useful info in a security data textfile I jot things in & remembered it'd apply here but I had no cited source for it there - does it matter? It works!)

On "sanity" Mr. "SiDeWaLk-ShRiNk of /."?

You troll by unidentifiable ac posts & fail repeating that same mistake over & over vs. me expecting diff. results = a definition of insanity

You're insanity's "ne'er-do-well" poster child (lol).

APK

P.S.=> I've obviously crushed you before - hence, your unidentifiable ac trolling post... apk

ASLR is *NOT* Obscurity, quite opposite

[DrYak]

(Obscurity. You keep using that word, I do not think it means what you think it means)

ASLR is NOT obscurity.
ASLR is quite the opposite : it's a way to mitigate obscurity.

(Just like a password is NOT security through obscurity).

A kernel without ASLR is obscurity: you count on the attacker not known where the kernel (or any other critical software) stores its code.
Once the address map is known, every single instance of this kernel (or software) everywhere on planet Earth is at risk.

With ASLR (which is, in Linux kernel case, publicly documented and known - exactly as any cryptographic algorithme - the exact opposite of obscurity), every single instance can, based on a small random token (which plays the same role as a password or a private key in a cryptographic system), can manage to hide *its own peculiar instance of stuff* from a potential attacker.

Knowing how ASLR works isn't critical (and in Linux case, it's actually documented).
Knowing the token (=the password) is the critical step.
It's not "Security through Obscurity", it's side channel attack (= managing to guess the security key by using a feature of the Haswell CPU that locally leaks the information - the "clear text").

Security through Oscurity is hoping that nobody actually understands how your magical security solution works under the hood.
If anyone gets to know the internals, the *whole technology* is toast for ever.

Cryptography and other forms of sensible and modern security is the opposite: it counts on a technology that is as widely known and published as possible (so it undergoes as many tests and reviews as possible, to make sure it is sound).
If something is kept secret, it's a small token, a number, a code, a key. Just a piece of data. Not the actual open standard code which will process the data.